patents.google.com

US20070245412A1 - System and method for a communication system - Google Patents

️Thu Oct 18 2007

US20070245412A1 - System and method for a communication system - Google Patents

System and method for a communication system Download PDF

Info

Publication number

US20070245412A1

US20070245412A1 US11/403,548 US40354806A US2007245412A1 US 20070245412 A1 US20070245412 A1 US 20070245412A1 US 40354806 A US40354806 A US 40354806A US 2007245412 A1 US2007245412 A1 US 2007245412A1 Authority

United States

Prior art keywords

communication

controller

external

community

endpoint

Prior art date

2006-04-13

Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)

Granted

Application number

US11/403,548

Other versions

US8560828B2 (en

Inventor

Christopher Signaoff

Tom Opsahl

Edward Riley

Justin Signaoff

Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)

DirectPacket Research Inc

Original Assignee

DirectPacket Research Inc

Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

2006-04-13

Filing date

2006-04-13

Publication date

2007-10-18

Family has litigation

First worldwide family litigation filed litigation Critical https://patents.darts-ip.com/?family=38606406&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=US20070245412(A1) "Global patent litigation dataset” by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License.

2006-04-13 Application filed by DirectPacket Research Inc filed Critical DirectPacket Research Inc

2006-04-13 Priority to US11/403,548 priority Critical patent/US8560828B2/en

2006-06-12 Assigned to DIRECTPACKET RESEARCH, INC. reassignment DIRECTPACKET RESEARCH, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: OPSAHL, TOM W., RILEY, III, EDWARD M., SIGNAOFF, CHRISTOPHER S., SIGNAOFF, JUSTIN S.

2007-04-11 Priority to PCT/US2007/066451 priority patent/WO2007121255A2/en

2007-10-18 Publication of US20070245412A1 publication Critical patent/US20070245412A1/en

2011-04-29 Assigned to DIRECTPACKET, INC. reassignment DIRECTPACKET, INC. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: DIRECTPACKET RESEARCH, INC.

2011-08-05 Assigned to DIRECTPACKET RESEARCH, INC. reassignment DIRECTPACKET RESEARCH, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: DIRECTPACKET, INC.

2013-10-15 Application granted granted Critical

2013-10-15 Publication of US8560828B2 publication Critical patent/US8560828B2/en

Status Active legal-status Critical Current

2033-02-01 Adjusted expiration legal-status Critical

Images

Classifications

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/256—NAT traversal
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/2514—Translation of Internet protocol [IP] addresses between local and global IP addresses

Definitions

the present invention relates, in general, to electronic communications, and, more specifically, to the architecture of a multimedia communication system.
Firewalls which can be software, hardware, or a combination of both, are used in modern networks to screen out unwanted or malicious traffic.
One of many techniques a firewall may use is packet filtering, wherein the firewall determines whether or not to allow individual packets by analyzing information in the packet header (such as the Internet Protocol (IP) address and port of the source and destination).
IP Internet Protocol
IP addresses may be blocked to minimize the risk of allowing malicious traffic into an important computer network or system.
Another more advanced technique is called stateful inspection, wherein in addition to analyzing header information, a firewall keeps track of the status of any connection opened by network devices behind the firewall.
firewalls especially those used by large corporations generally only allow traffic from the well-known ports, though such firewalls may be specially configured to allow traffic on any port.
firewalls For multimedia communication systems that use multiple registered and dynamic ports, firewalls (unless specially configured) will generally block the data traffic on these ports between multimedia systems, thus, preventing communication.
TCP/IP Transmission Control Protocol/Internet Protocol
TCP/IP is the transport protocol of the internet.
One mechanism used to handle IP addresses is the TCP/IP port system.
a port is a sixteen bit integer, the value of which falls into one of three ranges: the well-known ports, ranging from 0 through 1023; the registered ports, ranging from 1024 through 49151; and the dynamic and/or private ports, ranging from 49152 through 65535.
the well-known ports are reserved for assignment by the Internet Corporation for Assigned Names and Numbers (ICANN) for use by applications that communicate using the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) and generally can only be used by a system/root process or by a program run by a privileged user.
ICANN Assigned Names and Numbers
the registered ports may be registered for use by companies or other individuals for use by applications that communicate using TCP or UDP.
the dynamic or private ports by definition, cannot be officially registered nor are they assigned.
a TCP/IP port is typically assigned to user sessions and server applications in an IP network. Destination ports are generally used to route packets on a server to the appropriate network application. Thus, some ports are typically associated with particular internet applications. For example, port 80 is the standard port for Hypertext Transport Protocol (HTTP), while port 443 is the standard port for Secure HTTP (HTTPS). HTTP and HTTPS traffic may validly communicate over other ports; however ports 80 and 443 have been assigned as default ports for handling HTTP and HTTPS traffic, respectively.
Routers and firewalls typically analyze the port numbers of the incoming data packets to determine how each packet should be handled. Routers review the port number to determine where to route the packet next. When using packet filtering methods, firewalls will review the port numbers to determine whether or not packets from that particular port represent traffic that is known to potentially contain a security threat. If a threat is indicated for that particular port, the packet will be dropped.
NAT Network Address Translation
VoIP Voice over IP
POTS Plain Old Telephone System
PSTN Publicly Switched Telephone Network
SIP Session Initiation Protocol
H.323 H.323 are two examples of such protocols that have been defined for handling the administration of VoIP, and its natural extension to multimedia communication.
H.323 is a multimedia conferencing protocol, which includes voice, video, and data conferencing, for use over packet-switched networks.
SIP is a signaling protocol for Internet conferencing, telephony, presence, events notification, and instant messaging. While these protocols allow for efficient management of IP-based communication, they run into serious problems when encountering firewalls and NAT systems.
each endpoint inside the system does not have a static IP address. Therefore, during setup of point-to-point communication, it is difficult to map out the connection because the target endpoint does not have a fixed, known IP address.
the NAT server only provides an IP address when the internal endpoint needs one. Part of the header information in an H.323 or SIP data packet is the destination address. This information may be difficult to know when the NAT server has not assigned an IP address to a specific endpoint or considering that what IP address is assigned for a first call may not be the same IP addressed assigned for a subsequent call to the same endpoint.
FIG. 1 is a block diagram illustrating a typical complex architecture of IP communication system 10 .
IP communication system 10 implements a multimedia communication system over the IP protocol. Communication in IP communication system 10 is limited by firewalls 100 and 101 . Communication begins with the video and audio captured at endpoint 102 . Using a multimedia transport protocol, such as H.323, SIP, or the like, multiple ports are selected by endpoint 102 to effect communication of the multimedia data. Endpoint 102 is connected to gatekeeper 103 , which is still behind firewall 100 .
a multimedia transport protocol such as H.323, SIP, or the like
Gatekeepers 103 and 107 are special gatekeepers that include proprietary code for establishing a connection over Internet 11 with base controller 106 , which is located outside of firewalls 100 and 101 .
Base controller 106 also includes proprietary code that operates in connection with the code on gatekeepers 103 and 107 .
gatekeepers 103 and 107 are registered with base controller 106 , such that a known communication setup routine has already been established between them.
Firewalls 100 and 101 are modified to open a certain number of specific ports for all communications from gatekeeper 103 .
the firewall technicians maintaining firewalls 100 and 101 work with the provider of IP communication system 10 on installation to identify the specific ports that communication channels 105 will be transmitted over. Once those ports are opened, IP communication may occur over channels 105 .
Gatekeepers 103 and 107 also provide for converting communication streams that may originate for different ports into channels 105 .
monitor 102 communicates using H.323 which uses communication channels 104 .
Gatekeeper 103 shifts the data from communication channels 104 over to communication channels 105 in order to traverse firewall 100 .
IP communication system 10 may also include special communication equipment, such as communication unit 109 , which includes special proprietary code specifically developed for use in IP communication system 10 .
communication unit 109 is also registered with base controller 106 and packages all communication streams into channels 105 to traverse firewall 100 using the specified ports.
a user at communication unit 109 may establish IP communication with a user at endpoint 108 without first connecting to gatekeeper 103 .
Examples of such systems configured similar to IP communication system 10 are provided by companies such as TANDBERG and the like. The limitation of such systems is that holes are still opened in the firewalls. There is nothing already in the security provisions of the firewalls that would prevent hostile traffic from entering through the ports that are opened to implement IP communication system 10 .
FIG. 2 is a block diagram illustrating IP communication system 20 .
IP communication system 20 is configured to allow various levels of IP communication between individuals located at entity site 200 , remote entity site 210 , and home site 217 .
IP communication system 20 is implemented using a base server, communication server 203 , in communication with individual client instances, clients 204 , 209 , and 212 .
communication server 203 is placed in the middle-network zone, DMZ 218 , which is the sub-network that sits between the trusted network of entity site 200 and Internet 11 .
DMZ 218 is the middle-network zone
Many network components or servers that have direct connectability to Internet 11 are situated within DMZ 218 .
DMZ 218 also contains e-mail server 215 , Web server 216 , and the like.
DMZ 218 is typically delimited by the private network firewall, such as private firewall 201 , and an Internet firewall, such as Internet firewall 202 .
Internet firewall 202 maintains more open ports that are typically useful in receiving Internet-driven communication, such as email, Web-requests, and the like, while private firewall 201 is much more restrictive in the ports that it allows to have access into the private network of entity site 200 .
endpoints 205 and 206 each establish connections to client 204 .
Client 204 receives all of the communication streams directed to different ports, multi-port communications 207 , and multiplexes those different communication streams into a single stream directed to a single port, single port data stream 208 .
the firewall administrators designate a single, specific port in both private firewall 201 and Internet firewall 202 for accepting data packets.
Client 204 then transmits the multiplexed communication over single port data stream 208 to communication server 203 via private firewall 201 .
Communication server 203 will then transmit the multiplexed communication to the targeted endpoint at either one or both of remote entity site 210 and home site 217 .
endpoints 213 and 214 communicate with client 212 , which multiplexes the communications on multi-port communications 207 into a single port stream on single port data stream 208 .
Client 212 then transmits the multiplexed communication stream through remote firewall 211 and Internet firewall 202 to communication server 203 .
the communication stream from client 212 comes into Internet firewall 202 addressed to the specific port designated for the IP communication.
Internet firewall 202 therefore, lets the data packets through to communication server 203 .
Communication server 203 is then able to transmit the communication stream to client 204 through private firewall 201 .
FIG. 3 is a block diagram illustrating IP communication system 30 .
IP communication system 30 Instead of opening up new holes in firewalls 300 and 301 , or using any existing open ports, IP communication system 30 simply goes around the company firewall, e.g., firewalls 300 and 301 .
IP communication system 30 connects to Internet 11 using a standard, non-secure Internet connection, connection 304 .
IP communication system 20 comprises endpoints 302 and 303 that include proprietary code enabling IP communication to be established over connection 304 . Because neither connection 304 nor the communication equipment (i.e., endpoints 302 and 303 ) are connected into the users systems, there is little danger that any faults or malevolent traffic will jeopardize the system.
the present invention is directed to a system and method for managing a communication system.
the system is made up of several communication communities that provide communication between each of the various endpoints connected into the community and also allows for the individual communities to inter-communicate with the other communities in the communication network.
a communication request is received at an external controller from a first controller behind a firewall.
the first controller connects to multiple endpoints provided for users.
a communication channel is established between the first controller and the external controller after the external controller has authenticated or verified the identification of the first controller.
a second communication channel is opened between the external controller and at least one other controller behind another firewall, where the other controller is connected to a single communication endpoint.
the community/sub-community in selected embodiments of the present invention, there is at least one controller that services multiple endpoints and at least one other controller that is dedicated for a single endpoint.
Multimedia communication data is transmitted between the first controller and the other controller where the multimedia data passes through the external controller.
This multimedia communication data is distributed to the communication endpoints, including the single communication endpoint, that are connected to or participating in the particular communication session.
the various additional representative embodiments of the present invention also include inter-communication between the communities/sub-communities described above.
Communication in the first community is established as described above: the endpoint requests communication from the internal controller, which makes that request outside of the firewall to the external controller.
Communication in any other communication community is also established similarly.
Another endpoint requests communication to the internal controller that it is connected to, which then makes that request outside of its firewall to the other external controller.
a communication channel is open between the other endpoint and the other external controller.
another communication connection is established between the two external communication controllers of the different communities. The communication data would then be transmitted between the two controllers through that connection.
FIG. 1 is a block diagram illustrating a typical complex architecture of an IP communication system
FIG. 2 is a block diagram illustrating another IP communication system
FIG. 3 is a block diagram illustrating another IP communication system
FIG. 4 is a block diagram illustrating a communication community configured according to one embodiment of the present invention.
FIG. 5 is a block diagram illustrating an extended communication community configured according to one embodiment of the present invention.
FIG. 6 is a flowchart illustrating example steps executed in implementing one embodiment of the present invention.
FIG. 7 is a flowchart illustrating example steps executed in implementing one embodiment of the present invention.
FIG. 8 is a block diagram illustrating a communication environment configured according to one embodiment of the present invention.
FIG. 4 is a block diagram illustrating communication community 40 configured according to one embodiment of the present invention.
Communication community 40 establishes a reliable multimedia communication system between multiple locations and multiple users at those different locations.
principal office 400 is the principal business location for a company.
Satellite office 401 is a branch office located in a suburb of the city where principal office 400 is located.
Travel office 402 is a hotel room across the country where the company's CEO is attending a company meeting.
Communication community 40 allows the company CEO to establish connection into the community from where ever he is located and has access to Internet 11 .
Principal office 400 includes multiple endpoints, 403 - 406 , such as telephones, computer terminals, and the like, that are configured for multimedia communication.
Each of multiple endpoints 403 - 406 is connected to backend controller 407 .
Backend controller 407 manages the communication interactions with endpoints 403 - 406 and allows the communication to be transmitted to switch 408 and firewall 409 and eventually out to Internet 11 and front end controller 410 .
each of the components is registered with the other.
each of backend controllers 407 and 416 registers with front end controller 410 . This process may be performed during initial system setup by Information Technology (IT) professionals.
Backend 420 is also registered with front end controller 410 . However, because backend 420 is a portable unit, once registered, various individuals may use backend 420 to establish verified connections into communication community 40 from remote, temporary locations. Again, the registration procedure for backend 420 may also be performed by IT professionals.
Each endpoint, endpoints 403 - 406 , 412 - 415 , and 419 may also register with their associated backend controller.
back end controller 407 may be configured according to various multimedia communication protocols and systems.
One example of such a system is described in technology covered by co-pending, commonly owned, U.S. patent application Ser. No. XX/XXX,XXX, Attorney Docket No. 69936-P001US-10601228, entitled, “SYSTEM AND METHOD FOR TRAVERSING A FIREWALL WITH MULTIMEDIA COMMUNICATION.”
Such technology converts multiport transport protocols, such as H.323, SIP, and the like, into a single port transport protocol that can easily traverse firewalls with valid, standard single-port traffic.
Front end controller 410 is located outside of firewall 409 . It has an address, which can be an IP address, a Uniform Resource Locator (URL), or the like, that is known specifically by back end 407 . Moreover, front end controller 410 maintains a security table that allows it to selectively connect with only those backend controllers that have a valid security key. For example, endpoint 406 desires to make a video call to another party within communication community 40 . Backend controller 407 knows the address for front end controller 410 . In order to initiate the communication, backend controller 407 transmits a request through switch 408 and firewall 409 to the specific address of front end controller 410 for such communication. Along with the request, backend controller 407 also sends a security key.
URL Uniform Resource Locator
front end controller 410 When front end controller 410 receives the request and the key, it first verifies and authenticates the key to make sure that the component requesting access is a valid and authorized component. Once it is authenticated as a valid backend, the request for communication is opened and the multimedia communication stream will be managed by front end controller 410 between endpoint 406 and it's destination address.
Satellite location 401 includes endpoints 412 - 415 , backend controller 416 , switch 417 , and firewall 411 .
Travel office 402 includes a single endpoint, endpoint 419 , backend controller 420 , and router 421 , which may be the high speed modem found in the CEO's hotel room.
the hotel Internet system also provides firewall 418 .
the configuration of communication community 40 that joins each of principal office 400 , satellite office 401 , and travel office 402 provides a unique communication system architecture.
the key components of this system of communication community 40 include the backends located behind each firewall, backend controllers 407 , 416 , and 420 , where backend 420 provides only for a single endpoint connection; front end controller 410 , which facilitates the communication by providing a known component outside of the firewalls that has a known connection pipe to each of backend controllers 407 , 416 , and 420 ; and endpoints 403 - 406 , 412 - 415 , and 419 , which provide the multimedia communication devices for the communication.
each location other than travel office 402 could have different numbers of endpoints connected thereto depending on the capacity of the associated backend controller.
each location may be separated by any distance, as long as the endpoints or backends can access Internet 11 . Such access may be accommodated through wired connections or wireless connections to any of the points within the system.
FIG. 5 is a block diagram illustrating expanded communication community (ECC) 50 configured according to one embodiment of the present invention.
ECC 50 creates a scaled communication network by combining or joining the communication capabilities of several communication sub-systems into a single expanded community.
communication community 40 as described in FIG. 4 , is noted in ECC 50 as being located in New York. It is joined with communication community 51 and 52 located in London and Brazil, respectively.
Each member state (i.e., communication communities 40 , 51 , and 52 ) of ECC 50 is at once an autonomous communication system and a shared communication system facilitating multimedia communication between endpoints in Brazil, London, and New York.
backend controllers 407 , 416 , and 420 with front end controller 410 facilitates communication in New York, while the association of backend controllers 501 - 503 with front end controller 500 facilitates communication in London, and the association of backend controllers 505 - 507 with front end controller 504 facilitates communication in Brazil.
backend controller 416 When a user with an endpoint connected to backend controller 416 desires to participate in multimedia communication, such as a video conference, with a user with an endpoint connected to backend controller 503 in London, backend controller 416 requests to initiate communication with front end controller 410 with the identification information from the New York user's endpoint. After verifying and authenticating the security key transmitted over Internet 11 by backend controller 416 , front end controller 410 opens a communication channel between itself and backend controller 416 . The communication request information from the New York endpoint transmitted by backend controller 416 to front end 410 includes the destination address of the London endpoint. Front end 410 recognizes that the destination endpoint does not reside within its communication community 40 . Using a communication table stored with front end controller 410 , front end controller 410 looks up the address to initiate communications with the London endpoint. Front end controller transmits a communication request to front end 500 within communication community 51 that includes a security key and other identification information.
front end controller 500 Upon receipt of the communication request from front end controller 410 , front end controller 500 verifies and authenticates the security key just as it would when receiving a communication request from any of backend controllers 501 - 503 . In fact, when any of front end controllers 410 , 500 , and 504 receive communication requests from any other front end controller, it views that request as being from any other backend controller.
the front end controllers make no distinction between communication from front end controllers or backend controllers.
Front end controller 500 When front end controller 500 authenticates and verifies the communication request from front end controller 410 , a communication path is opened between the two. Front end controller 500 also will use the address of the London endpoint to establish communication with backend controller 503 and then, subsequently, with the destination endpoint. Once the communication lines have been established between the New York and London endpoints, the New York and London users may communicate using multimedia data, such as with video, audio, and data.
FIG. 6 is a flowchart illustrating example steps executed to implement one embodiment of the present invention.
a communication request is received at an external controller from a first controller behind a firewall, where the controller is connected to a plurality of communication endpoints.
a communication channel is established, in step 601 , between the controller and the external controller.
a second communication channel is opened, in step 602 , between the external controller and at least one other controller behind another firewall, where the other controller is connected to a single communication endpoint.
multimedia communication data is transmitted between the first controller and the other controller where the multimedia data passes through the external controller.
the multimedia communication data is distributed, in step 604 , to the selected communication endpoints including the single communication endpoint.
FIG. 7 is a flowchart illustrating example steps executed to implement one embodiment of the present invention.
a first communication connection is established between a first internal controller behind a firewall and a first external controller in a first communication community, where a local communication device connected to the first internal controller initiates a first communication request.
a second communication connection is established, in step 701 , between a second internal controller behind a second firewall and a second external controller in a second communication community, where a remote communication device connected to the second internal controller initiates a second communication request.
a third communication connection is established, in step 703 , between the first and second external communication controllers.
communication data is transmitted between the first and second communication communities through the third communication connection.
FIG. 8 is a block diagram illustrating communication environment 80 configured according to one embodiment of the present invention.
Communication environment 80 is made up of several sub-communities: Dallas communication community (DCC) 81 , Austin communication community (ACC) 82 , Tokyo communication community (TCC) 83 , and Prague communication community (PCC) 84 .
DCC Dallas communication community
ACC Austin communication community
TCC Tokyo communication community
PCC Prague communication community
each of the different sub-communities is capable of acting as its own autonomous communication community.
the embodiment described in FIG. 8 includes a hierarchical relationship amount the various communities and, more specifically, the front end controllers.
the front end controller for DCC 81 front end controller 800
a super controller as contemplated and described for the embodiment described in FIG. 8 , is the main front end controller and operates as the communication conduit for the other sub-communities. While front end controller 800 facilitates data transfer between the backend controllers within DCC 81 , backend controllers 801 - 803 , it also facilitates data transfer between the backend controllers of ACC 82 , backend controllers 807 - 809 ; TCC 83 , backend controllers 810 - 812 ; and PCC 84 , backend controllers 813 - 815 .
a user at endpoint 816 desires to enter a video conference.
the connection at endpoint 816 requesting to enter into the video conference causes backend controller 808 to transmit a communication request to front end controller 806 over Internet 11 .
Users at endpoint 818 in Tokyo, and endpoint 817 , in Prague, also desire to participate in the video conference.
the video conference requests from endpoint 817 and 818 cause backend controllers 813 and 811 , respectively, to transmit communication requests to front end controllers 805 and 804 , respectively.
front end controllers 804 - 806 After authenticating and verifying the security keys transmitted by each of backend controllers 808 , 811 , and 813 , front end controllers 804 - 806 open communication channels within ACC 82 , TCC 83 , and PCC 84 . However, because the users within the different sub-communities are to be on the same video conference, the video data will be shared across the community borders of ACC 32 , TCC 83 , and PCC 84 .
front end controllers 804 - 806 transmit the multimedia data to each other through the super controller, front end controller 800 .
Each of front end controllers 804 - 806 is configured to establish a communication connection with front end controller 800 whenever a destination address is located outside of its sub-community.
front end controller 804 transmits a communication request to front end controller 800 .
Front end controller 800 verifies and authenticates the security key transmitted from front end controller 804 and, once verified, the communication channel is opened.
Front end controller 800 uses destination information for the video conference to open communication channels between itself and front end controller 805 , to facilitate delivery and receipt of the video conference data to endpoint 817 in PCC 84 , and front end controller 806 , to facilitate delivery and receipt of the video conference data to endpoint 816 in ACC 82 .
a similar process is used when communication channels are to be set up between front end controllers 805 and 806 and front end controller 800 .
the super controller, front end controller 800 may be configured to receive data and open communications channels only with specific network elements, such as with backend controllers 801 - 803 and front end controllers 804 - 806 . By limiting the authorized network elements that may contact the super controller, the risk of unauthorized access to communication environment 80 is diminished.
all front end controllers may be configured to communicate with specific network devices. As noted above, limiting the pool of potential devices that may access any particular front end controller, greatly reduces the risk of unauthorized access.

Landscapes

Engineering & Computer Science (AREA)
Computer Networks & Wireless Communication (AREA)
Signal Processing (AREA)
Data Exchanges In Wide-Area Networks (AREA)
Computer And Data Communications (AREA)

Abstract

A communication system is made up of several communication communities. Each community provides for communication between the endpoints connected into that community by connecting the endpoints and communication controllers located behind a firewall with an external communication controller outside of the firewall. In selected embodiments, such a community may be configured to connect an internal controller that is connected to a plurality of endpoints with another controller that is designed for connection to only one endpoint. When communication is desired outside of the individual communities, the external controller for that community establishes a connection with the external controller for the desired community. Once established, the communication data can be transmitted across community borders. In some embodiments, there may be a central external controller that is in communication with each of the external controllers for the other individual communities. In such embodiments, all inter-community communication will pass through that central controller.

Description

The present application is related to concurrently filed, co-pending and commonly assigned U.S. patent application Ser. No. XX/XXX,XXX, Attorney Docket No. 69936-P001US-10601228, entitled “SYSTEM AND METHOD FOR TRAVERSING A FIREWALL WITH MULTIMEDIA COMMUNICATION”, the disclosure of which are hereby incorporated herein by reference.
The present invention relates, in general, to electronic communications, and, more specifically, to the architecture of a multimedia communication system.
In today's connected electronic society, the technology and know-how to create a completely connected electronic global system has been available and in practice at various levels. However, the utopian ideas of complete and unfettered connectivity are seriously undermined by the electronic “outlaws.” Computer viruses, industrial and national spying, information theft, and the like place real dollar risks to maintaining completely free connectivity. Because a genuine need exists for certain computer systems to be connected into the public domain, such as through the public or commodity internet, technology has been developed to provide various levels of protection from computer-based mischief.
One such technology used to minimize the risks for computer-based mischief is a firewall. Firewalls, which can be software, hardware, or a combination of both, are used in modern networks to screen out unwanted or malicious traffic. One of many techniques a firewall may use is packet filtering, wherein the firewall determines whether or not to allow individual packets by analyzing information in the packet header (such as the Internet Protocol (IP) address and port of the source and destination). Thus, various ports (defined below) or IP addresses may be blocked to minimize the risk of allowing malicious traffic into an important computer network or system. Another more advanced technique is called stateful inspection, wherein in addition to analyzing header information, a firewall keeps track of the status of any connection opened by network devices behind the firewall. Deciding whether or not a packet is dropped in a stateful inspection is based on the tracked status of the connection and information from within the packet header. In practice, firewalls (especially those used by large corporations) generally only allow traffic from the well-known ports, though such firewalls may be specially configured to allow traffic on any port. For multimedia communication systems that use multiple registered and dynamic ports, firewalls (unless specially configured) will generally block the data traffic on these ports between multimedia systems, thus, preventing communication.
In communications over the commodity internet, much of the communication occurs using Transmission Control Protocol/Internet Protocol (TCP/IP). TCP/IP is the transport protocol of the internet. One mechanism used to handle IP addresses is the TCP/IP port system. A port is a sixteen bit integer, the value of which falls into one of three ranges: the well-known ports, ranging from 0 through 1023; the registered ports, ranging from 1024 through 49151; and the dynamic and/or private ports, ranging from 49152 through 65535. The well-known ports are reserved for assignment by the Internet Corporation for Assigned Names and Numbers (ICANN) for use by applications that communicate using the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) and generally can only be used by a system/root process or by a program run by a privileged user. The registered ports may be registered for use by companies or other individuals for use by applications that communicate using TCP or UDP. The dynamic or private ports, by definition, cannot be officially registered nor are they assigned.
A TCP/IP port is typically assigned to user sessions and server applications in an IP network. Destination ports are generally used to route packets on a server to the appropriate network application. Thus, some ports are typically associated with particular internet applications. For example,
port
80 is the standard port for Hypertext Transport Protocol (HTTP), while port 443 is the standard port for Secure HTTP (HTTPS). HTTP and HTTPS traffic may validly communicate over other ports; however
ports
80 and 443 have been assigned as default ports for handling HTTP and HTTPS traffic, respectively. Routers and firewalls typically analyze the port numbers of the incoming data packets to determine how each packet should be handled. Routers review the port number to determine where to route the packet next. When using packet filtering methods, firewalls will review the port numbers to determine whether or not packets from that particular port represent traffic that is known to potentially contain a security threat. If a threat is indicated for that particular port, the packet will be dropped.
Many such firewalls use packet filtering to protect the underlying system. Thus, the ports that typical carry unpredictable packets are usually closed to traffic. In operation, a large number of ports are closed by default. These closed port ranges are usually associated with data traffic for applications that are unpredictable or known to carry undesirable traffic.
Another technique used by some firewalls and many other networking components to interface private or sub-networks with the commodity internet is Network Address Translation (NAT). NAT typically uses a single public IP address for the network interface, but then assigns individual clients on the private or sub-network a dynamic IP address that is selected from a group of private IP addresses for that particular private network or sub-network. NAT has extended the IP address technique beyond its finite number of addresses. However, the translation of addresses becomes a very complicated process when attempting to connect one endpoint to another behind a NAT system.
The use of firewalls and NAT to secure and administer networks has allowed an increase in overall connectivity, while improving the security of those networks. However, with this increased security, adapting to advances in communication technology is hampered. Voice over IP (VoIP) is becoming a popular alternative to the traditional Plain Old Telephone System (POTS) and the Publicly Switched Telephone Network (PSTN). In order to implement VoIP, though, new transmission protocols were developed to handle the specific needs of such system. Session Initiation Protocol (SIP) and H.323 are two examples of such protocols that have been defined for handling the administration of VoIP, and its natural extension to multimedia communication.
H.323 is a multimedia conferencing protocol, which includes voice, video, and data conferencing, for use over packet-switched networks. SIP is a signaling protocol for Internet conferencing, telephony, presence, events notification, and instant messaging. While these protocols allow for efficient management of IP-based communication, they run into serious problems when encountering firewalls and NAT systems.
Many communication protocols, including H.323 and SIP, use multiple different ports that can be selected dynamically as the session is initiated. The problem arises because the majority of these ports are closed in typical firewall installations. Therefore, in order to accommodate any type of IP-based communications, large numbers of ports would need to be opened in the firewall. If too many ports remain open, any given entity would risk exposure to potentially harmful unauthorized intrusion.
In NAT systems, each endpoint inside the system does not have a static IP address. Therefore, during setup of point-to-point communication, it is difficult to map out the connection because the target endpoint does not have a fixed, known IP address. The NAT server only provides an IP address when the internal endpoint needs one. Part of the header information in an H.323 or SIP data packet is the destination address. This information may be difficult to know when the NAT server has not assigned an IP address to a specific endpoint or considering that what IP address is assigned for a first call may not be the same IP addressed assigned for a subsequent call to the same endpoint.
To address this problem of firewall traversal and NAT, companies have designed various solutions from complex systems to simple workarounds.
FIG. 1
is a block diagram illustrating a typical complex architecture of
IP communication system
10.
IP communication system
10 implements a multimedia communication system over the IP protocol. Communication in
IP communication system
10 is limited by
firewalls
100 and 101. Communication begins with the video and audio captured at
endpoint
102. Using a multimedia transport protocol, such as H.323, SIP, or the like, multiple ports are selected by
endpoint
102 to effect communication of the multimedia data.
Endpoint
102 is connected to
gatekeeper
103, which is still behind
firewall
100.
Gatekeepers
103 and 107 are special gatekeepers that include proprietary code for establishing a connection over
Internet
11 with
base controller
106, which is located outside of
firewalls
100 and 101.
Base controller
106 also includes proprietary code that operates in connection with the code on
gatekeepers
103 and 107. In operation,
gatekeepers
103 and 107 are registered with
base controller
106, such that a known communication setup routine has already been established between them.
Firewalls
100 and 101 are modified to open a certain number of specific ports for all communications from
gatekeeper
103. The firewall
technicians maintaining firewalls
100 and 101 work with the provider of
IP communication system
10 on installation to identify the specific ports that
communication channels
105 will be transmitted over. Once those ports are opened, IP communication may occur over
channels
105.
Gatekeepers
103 and 107 also provide for converting communication streams that may originate for different ports into
channels
105. For example, monitor 102 communicates using H.323 which uses
communication channels
104.
Gatekeeper
103 shifts the data from
communication channels
104 over to
communication channels
105 in order to traverse
firewall
100.
IP communication system
10 may also include special communication equipment, such as
communication unit
109, which includes special proprietary code specifically developed for use in
IP communication system
10. When using this special equipment, a user is able to connect to
base controller
106 without first connecting to
gatekeeper
103.
Communication unit
109 is also registered with
base controller
106 and packages all communication streams into
channels
105 to traverse
firewall
100 using the specified ports. Thus, a user at
communication unit
109 may establish IP communication with a user at
endpoint
108 without first connecting to
gatekeeper
103. Examples of such systems configured similar to
IP communication system
10 are provided by companies such as TANDBERG and the like. The limitation of such systems is that holes are still opened in the firewalls. There is nothing already in the security provisions of the firewalls that would prevent hostile traffic from entering through the ports that are opened to implement
IP communication system
10.
FIG. 2
is a block diagram illustrating
IP communication system
20.
IP communication system
20 is configured to allow various levels of IP communication between individuals located at
entity site
200,
remote entity site
210, and
home site
217.
IP communication system
20 is implemented using a base server,
communication server
203, in communication with individual client instances,
clients
204, 209, and 212. At
entity site
200,
communication server
203 is placed in the middle-network zone,
DMZ
218, which is the sub-network that sits between the trusted network of
entity site
200 and
Internet
11. Many network components or servers that have direct connectability to
Internet
11 are situated within
DMZ
218. For example, in addition to
communication server
203,
DMZ
218 also contains
e-mail server
215,
Web server
216, and the like.
DMZ
218 is typically delimited by the private network firewall, such as
private firewall
201, and an Internet firewall, such as
Internet firewall
202.
Internet firewall
202 maintains more open ports that are typically useful in receiving Internet-driven communication, such as email, Web-requests, and the like, while
private firewall
201 is much more restrictive in the ports that it allows to have access into the private network of
entity site
200.
When IP communication is desired,
endpoints
205 and 206 each establish connections to
client
204.
Client
204 receives all of the communication streams directed to different ports,
multi-port communications
207, and multiplexes those different communication streams into a single stream directed to a single port, single
port data stream
208. In setting up
IP communication system
20, the firewall administrators designate a single, specific port in both
private firewall
201 and
Internet firewall
202 for accepting data packets.
Client
204 then transmits the multiplexed communication over single
port data stream
208 to
communication server
203 via
private firewall
201.
Communication server
203 will then transmit the multiplexed communication to the targeted endpoint at either one or both of
remote entity site
210 and
home site
217. Similarly,
endpoints
213 and 214 communicate with
client
212, which multiplexes the communications on
multi-port communications
207 into a single port stream on single
port data stream
208.
Client
212 then transmits the multiplexed communication stream through
remote firewall
211 and
Internet firewall
202 to
communication server
203. The communication stream from
client
212 comes into
Internet firewall
202 addressed to the specific port designated for the IP communication.
Internet firewall
202, therefore, lets the data packets through to
communication server
203.
Communication server
203 is then able to transmit the communication stream to
client
204 through
private firewall
201.
FIG. 3
is a block diagram illustrating IP communication system 30. Instead of opening up new holes in
firewalls
300 and 301, or using any existing open ports, IP communication system 30 simply goes around the company firewall, e.g., firewalls 300 and 301. IP communication system 30 connects to
Internet
11 using a standard, non-secure Internet connection,
connection
304.
IP communication system
20 comprises
endpoints
302 and 303 that include proprietary code enabling IP communication to be established over
connection
304. Because neither
connection
304 nor the communication equipment (i.e.,
endpoints
302 and 303) are connected into the users systems, there is little danger that any faults or malevolent traffic will jeopardize the system. However, implementing a totally separate system does not take advantage of the benefits that can be attributed to using the entity's protected, backend system. An example of such a system that addresses the firewall and NAT problem by completely by-passing the company's protected, backend system are video conferencing systems from Polycom, Inc.
The present invention is directed to a system and method for managing a communication system. The system is made up of several communication communities that provide communication between each of the various endpoints connected into the community and also allows for the individual communities to inter-communicate with the other communities in the communication network. In establishing the communication configuration in one of the communities/sub-communities, a communication request is received at an external controller from a first controller behind a firewall. The first controller connects to multiple endpoints provided for users. A communication channel is established between the first controller and the external controller after the external controller has authenticated or verified the identification of the first controller. A second communication channel is opened between the external controller and at least one other controller behind another firewall, where the other controller is connected to a single communication endpoint. In the configuration of the community/sub-community in selected embodiments of the present invention, then, there is at least one controller that services multiple endpoints and at least one other controller that is dedicated for a single endpoint. Multimedia communication data is transmitted between the first controller and the other controller where the multimedia data passes through the external controller. This multimedia communication data is distributed to the communication endpoints, including the single communication endpoint, that are connected to or participating in the particular communication session.
The various additional representative embodiments of the present invention also include inter-communication between the communities/sub-communities described above. Communication in the first community is established as described above: the endpoint requests communication from the internal controller, which makes that request outside of the firewall to the external controller. Communication in any other communication community is also established similarly. Another endpoint requests communication to the internal controller that it is connected to, which then makes that request outside of its firewall to the other external controller. Once everything is verified, a communication channel is open between the other endpoint and the other external controller. When either of the communication requests request communication between endpoints located in the separate communities, another communication connection is established between the two external communication controllers of the different communities. The communication data would then be transmitted between the two controllers through that connection.
The foregoing has outlined rather broadly the features and technical advantages of the present invention in order that the detailed description of the invention that follows may be better understood. Additional features and advantages of the invention will be described hereinafter which form the subject of the claims of the invention. It should be appreciated by those skilled in the art that the conception and specific embodiment disclosed may be readily utilized as a basis for modifying or designing other structures for carrying out the same purposes of the present invention. It should also be realized by those skilled in the art that such equivalent constructions do not depart from the spirit and scope of the invention as set forth in the appended claims. The novel features which are believed to be characteristic of the invention, both as to its organization and method of operation, together with further objects and advantages will be better understood from the following description when considered in connection with the accompanying figures. It is to be expressly understood, however, that each of the figures is provided for the purpose of illustration and description only and is not intended as a definition of the limits of the present invention.
For a more complete understanding of the present invention, reference is now made to the following descriptions taken in conjunction with the accompanying drawing, in which:
FIG. 1
is a block diagram illustrating a typical complex architecture of an IP communication system;
FIG. 2
is a block diagram illustrating another IP communication system;
FIG. 3
is a block diagram illustrating another IP communication system;
FIG. 4
is a block diagram illustrating a communication community configured according to one embodiment of the present invention;
FIG. 5
is a block diagram illustrating an extended communication community configured according to one embodiment of the present invention;
FIG. 6
is a flowchart illustrating example steps executed in implementing one embodiment of the present invention;
FIG. 7
is a flowchart illustrating example steps executed in implementing one embodiment of the present invention; and
FIG. 8
is a block diagram illustrating a communication environment configured according to one embodiment of the present invention.
FIG. 4
is a block diagram illustrating
communication community
40 configured according to one embodiment of the present invention.
Communication community
40 establishes a reliable multimedia communication system between multiple locations and multiple users at those different locations. For purposes of this example,
principal office
400 is the principal business location for a company.
Satellite office
401 is a branch office located in a suburb of the city where
principal office
400 is located.
Travel office
402 is a hotel room across the country where the company's CEO is attending a company meeting.
Communication community
40 allows the company CEO to establish connection into the community from where ever he is located and has access to
Internet
11.
The features of
communication community
40 are implemented by the system architecture operating at each location.
Principal office
400 includes multiple endpoints, 403-406, such as telephones, computer terminals, and the like, that are configured for multimedia communication. Each of multiple endpoints 403-406 is connected to
backend controller
407.
Backend controller
407 manages the communication interactions with endpoints 403-406 and allows the communication to be transmitted to switch 408 and
firewall
409 and eventually out to
Internet
11 and
front end controller
410.
In setting up the components of
communication community
40, each of the components is registered with the other. For example, each of
backend controllers
407 and 416 registers with
front end controller
410. This process may be performed during initial system setup by Information Technology (IT) professionals.
Backend
420 is also registered with
front end controller
410. However, because
backend
420 is a portable unit, once registered, various individuals may use
backend
420 to establish verified connections into
communication community
40 from remote, temporary locations. Again, the registration procedure for
backend
420 may also be performed by IT professionals. Each endpoint, endpoints 403-406, 412-415, and 419 may also register with their associated backend controller. By registering each component to
communication community
40, communication may be more-reliably established because each component is aware of the detailed identification information of the other components in the system.
It should be noted that
back end controller
407 may be configured according to various multimedia communication protocols and systems. One example of such a system is described in technology covered by co-pending, commonly owned, U.S. patent application Ser. No. XX/XXX,XXX, Attorney Docket No. 69936-P001US-10601228, entitled, “SYSTEM AND METHOD FOR TRAVERSING A FIREWALL WITH MULTIMEDIA COMMUNICATION.” Such technology converts multiport transport protocols, such as H.323, SIP, and the like, into a single port transport protocol that can easily traverse firewalls with valid, standard single-port traffic.
Front end controller
410 is located outside of
firewall
409. It has an address, which can be an IP address, a Uniform Resource Locator (URL), or the like, that is known specifically by
back end
407. Moreover,
front end controller
410 maintains a security table that allows it to selectively connect with only those backend controllers that have a valid security key. For example,
endpoint
406 desires to make a video call to another party within
communication community
40.
Backend controller
407 knows the address for
front end controller
410. In order to initiate the communication,
backend controller
407 transmits a request through
switch
408 and
firewall
409 to the specific address of
front end controller
410 for such communication. Along with the request,
backend controller
407 also sends a security key. When
front end controller
410 receives the request and the key, it first verifies and authenticates the key to make sure that the component requesting access is a valid and authorized component. Once it is authenticated as a valid backend, the request for communication is opened and the multimedia communication stream will be managed by
front end controller
410 between
endpoint
406 and it's destination address.
Each of the other locations in
communication community
40 has similar configurations as
principal location
400.
Satellite location
401 includes endpoints 412-415,
backend controller
416,
switch
417, and
firewall
411.
Travel office
402 includes a single endpoint,
endpoint
419,
backend controller
420, and
router
421, which may be the high speed modem found in the CEO's hotel room. The hotel Internet system also provides
firewall
418. The configuration of
communication community
40 that joins each of
principal office
400,
satellite office
401, and
travel office
402 provides a unique communication system architecture. The key components of this system of
communication community
40 include the backends located behind each firewall,
backend controllers
407, 416, and 420, where
backend
420 provides only for a single endpoint connection;
front end controller
410, which facilitates the communication by providing a known component outside of the firewalls that has a known connection pipe to each of
backend controllers
407, 416, and 420; and endpoints 403-406, 412-415, and 419, which provide the multimedia communication devices for the communication. By providing these components both in front of and behind the various firewalls,
communication community
40 provides a robust, secure, and highly scalable communication system.
It should be noted that in various additional or alternative embodiments of the present invention, each location other than
travel office
402 could have different numbers of endpoints connected thereto depending on the capacity of the associated backend controller. Moreover, each location may be separated by any distance, as long as the endpoints or backends can access
Internet
11. Such access may be accommodated through wired connections or wireless connections to any of the points within the system.
FIG. 5
is a block diagram illustrating expanded communication community (ECC) 50 configured according to one embodiment of the present invention.
ECC
50 creates a scaled communication network by combining or joining the communication capabilities of several communication sub-systems into a single expanded community. For example,
communication community
40, as described in
FIG. 4
, is noted in
ECC
50 as being located in New York. It is joined with
communication community
51 and 52 located in London and Brazil, respectively. Each member state (i.e.,
communication communities
40, 51, and 52) of
ECC
50 is at once an autonomous communication system and a shared communication system facilitating multimedia communication between endpoints in Brazil, London, and New York. The association of
backend controllers
407, 416, and 420 with
front end controller
410 facilitates communication in New York, while the association of backend controllers 501-503 with
front end controller
500 facilitates communication in London, and the association of backend controllers 505-507 with
front end controller
504 facilitates communication in Brazil.
When a user with an endpoint connected to
backend controller
416 desires to participate in multimedia communication, such as a video conference, with a user with an endpoint connected to
backend controller
503 in London,
backend controller
416 requests to initiate communication with
front end controller
410 with the identification information from the New York user's endpoint. After verifying and authenticating the security key transmitted over
Internet
11 by
backend controller
416,
front end controller
410 opens a communication channel between itself and
backend controller
416. The communication request information from the New York endpoint transmitted by
backend controller
416 to
front end
410 includes the destination address of the London endpoint.
Front end
410 recognizes that the destination endpoint does not reside within its
communication community
40. Using a communication table stored with
front end controller
410,
front end controller
410 looks up the address to initiate communications with the London endpoint. Front end controller transmits a communication request to
front end
500 within
communication community
51 that includes a security key and other identification information.
Upon receipt of the communication request from
front end controller
410,
front end controller
500 verifies and authenticates the security key just as it would when receiving a communication request from any of backend controllers 501-503. In fact, when any of
front end controllers
410, 500, and 504 receive communication requests from any other front end controller, it views that request as being from any other backend controller. The front end controllers make no distinction between communication from front end controllers or backend controllers.
When
front end controller
500 authenticates and verifies the communication request from
front end controller
410, a communication path is opened between the two.
Front end controller
500 also will use the address of the London endpoint to establish communication with
backend controller
503 and then, subsequently, with the destination endpoint. Once the communication lines have been established between the New York and London endpoints, the New York and London users may communicate using multimedia data, such as with video, audio, and data.
FIG. 6
is a flowchart illustrating example steps executed to implement one embodiment of the present invention. In
step
600, a communication request is received at an external controller from a first controller behind a firewall, where the controller is connected to a plurality of communication endpoints. A communication channel is established, in
step
601, between the controller and the external controller. A second communication channel is opened, in
step
602, between the external controller and at least one other controller behind another firewall, where the other controller is connected to a single communication endpoint. In
step
603, multimedia communication data is transmitted between the first controller and the other controller where the multimedia data passes through the external controller. The multimedia communication data is distributed, in
step
604, to the selected communication endpoints including the single communication endpoint.
FIG. 7
is a flowchart illustrating example steps executed to implement one embodiment of the present invention. In
step
700, a first communication connection is established between a first internal controller behind a firewall and a first external controller in a first communication community, where a local communication device connected to the first internal controller initiates a first communication request. A second communication connection is established, in
step
701, between a second internal controller behind a second firewall and a second external controller in a second communication community, where a remote communication device connected to the second internal controller initiates a second communication request. In response to either communication request requesting communication between the local and remote communication devices, a third communication connection is established, in
step
703, between the first and second external communication controllers. In step 704, communication data is transmitted between the first and second communication communities through the third communication connection.
FIG. 8
is a block diagram illustrating
communication environment
80 configured according to one embodiment of the present invention.
Communication environment
80 is made up of several sub-communities: Dallas communication community (DCC) 81, Austin communication community (ACC) 82, Tokyo communication community (TCC) 83, and Prague communication community (PCC) 84. As with
ECC
50, described in
FIG. 5
, each of the different sub-communities is capable of acting as its own autonomous communication community. However, the embodiment described in
FIG. 8
includes a hierarchical relationship amount the various communities and, more specifically, the front end controllers.
The front end controller for
DCC
81,
front end controller
800, is configured to be a super controller. A super controller, as contemplated and described for the embodiment described in
FIG. 8
, is the main front end controller and operates as the communication conduit for the other sub-communities. While
front end controller
800 facilitates data transfer between the backend controllers within
DCC
81, backend controllers 801-803, it also facilitates data transfer between the backend controllers of
ACC
82, backend controllers 807-809;
TCC
83, backend controllers 810-812; and
PCC
84, backend controllers 813-815.
In operation, a user at
endpoint
816 desires to enter a video conference. The connection at
endpoint
816 requesting to enter into the video conference causes
backend controller
808 to transmit a communication request to
front end controller
806 over
Internet
11. Users at
endpoint
818, in Tokyo, and
endpoint
817, in Prague, also desire to participate in the video conference. The video conference requests from
endpoint
817 and 818
cause backend controllers
813 and 811, respectively, to transmit communication requests to
front end controllers
805 and 804, respectively. After authenticating and verifying the security keys transmitted by each of
backend controllers
808, 811, and 813, front end controllers 804-806 open communication channels within
ACC
82,
TCC
83, and
PCC
84. However, because the users within the different sub-communities are to be on the same video conference, the video data will be shared across the community borders of ACC 32,
TCC
83, and
PCC
84.
Instead of each sub-community communicating directly with the other sub-communities, as reflected in the embodiment described in
FIG. 5
, front end controllers 804-806 transmit the multimedia data to each other through the super controller,
front end controller
800. Each of front end controllers 804-806 is configured to establish a communication connection with
front end controller
800 whenever a destination address is located outside of its sub-community. Thus, once the communication channel is open in
TCC
83 between
endpoint
818 and
front end controller
804,
front end controller
804 transmits a communication request to
front end controller
800.
Front end controller
800 verifies and authenticates the security key transmitted from
front end controller
804 and, once verified, the communication channel is opened.
Front end controller
800 uses destination information for the video conference to open communication channels between itself and
front end controller
805, to facilitate delivery and receipt of the video conference data to
endpoint
817 in
PCC
84, and
front end controller
806, to facilitate delivery and receipt of the video conference data to
endpoint
816 in
ACC
82. A similar process is used when communication channels are to be set up between
front end controllers
805 and 806 and
front end controller
800.
It should be noted that in various additional and alternative embodiments of the present invention, the super controller,
front end controller
800 may be configured to receive data and open communications channels only with specific network elements, such as with backend controllers 801-803 and front end controllers 804-806. By limiting the authorized network elements that may contact the super controller, the risk of unauthorized access to
communication environment
80 is diminished.
It should be noted that in additional and/or alternative embodiments of the present invention, all front end controllers may be configured to communicate with specific network devices. As noted above, limiting the pool of potential devices that may access any particular front end controller, greatly reduces the risk of unauthorized access.
Although the present invention and its advantages have been described in detail, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims. Moreover, the scope of the present application is not intended to be limited to the particular embodiments of the process, machine, manufacture, composition of matter, means, methods and steps described in the specification. As one of ordinary skill in the art will readily appreciate from the disclosure of the present invention, processes, machines, manufacture, compositions of matter, means, methods, or steps, presently existing or later to be developed that perform substantially the same function or achieve substantially the same result as the corresponding embodiments described herein may be utilized according to the present invention. Accordingly, the appended claims are intended to include within their scope such processes, machines, manufacture, compositions of matter, means, methods, or steps.

Claims (18)

1. A method for a multimedia communication comprising:

receiving at an external controller a communication request from a controller behind a firewall, wherein said controller is connected to a plurality of communication endpoints;

establishing a communication channel between said controller and said external controller;

opening a second communication channel between said external controller and at least one other controller behind another firewall, wherein said at least one other controller is configured to service a single communication endpoint;

transmitting multimedia communication data between said controller and said at least one other controller wherein said multimedia communication data passes through said external controller; and

distributing said multimedia communication data to one or more of said plurality of communication endpoints and said single communication endpoint.

2. The method of

claim 1

further comprising:

verifying said communication request at said external controller.

3. The method of

claim 1

further comprising:

transmitting a security key from said controller to said external controller for authorization of said communication request.

4. The method of

claim 1

further comprising:

sending an external request from said external controller to an additional external controller responsive to said communication request requesting to communicate with an additional endpoint connected to said additional external controller.

5. The method of

claim 4

further comprising:

establishing an external channel between said external controller and said additional external controller; and

forwarding said multimedia communication data to said additional external controller from said external controller; and

distributing said multimedia communication data to said additional endpoint.

6. The method of

claim 1

further comprising:

issuing a central request from said external controller to a central controller responsive to said communication request requesting to communicate with an external endpoint not connected to one or more of said controller and said at least one other controller; and

receiving said multimedia communication data at said central controller.

7. The method of

claim 6

further comprising:

determining a peripheral controller connected to said external endpoint;

opening another external channel between said central controller and said peripheral controller;

forwarding said multimedia communication data to said peripheral controller from said central controller; and

distributing said multimedia communication data to said external endpoint.

8. The method of

claim 6

further comprising:

distributing said multimedia communication data to said external endpoint when said external endpoint is connected to said central controller.

9. A communication community comprising:

one or more shared controllers connected to one or more communication endpoints, wherein said one or more shared controllers is behind a firewall;

at least one individual controller connect to a single communication endpoint, wherein said at least one individual controller is behind another firewall; and

an external controller in connection to said one or more shared controllers and said at least one individual controller, wherein said external controller facilitates communication between ones of said one or more communication endpoints and said single communication endpoint.

10. The communication community of

claim 9

further comprising:

a verification utility within said external controller for verifying one or more communication requests from one or more of said one or more shared controllers and said individual controller.

11. The communication community of

claim 9

further comprising:

a security key repository within each of said one or more shared controllers and said individual controller, wherein said one or more shared controllers and said individual controller transmit a security key for verification by said external controller for each communication request issued to said external controller.

12. The communication community of

claim 9

further comprising:

an external communication interface within said external controller for communicating with a second communication community.

13. The communication community of

claim 12

wherein said external controller communicates with a central communication controller to establish a communication channel with said second communication community.

14. A method for communicating comprising:

establishing a first communication connection between a first internal controller behind a firewall and a first external controller in a first communication community, wherein a first communication request is initiated by a local communication device connected to the first internal controller;

establishing a second communication connection between a second internal controller behind a second firewall and a second external controller in a second communication community, wherein a second communication request is initiated by a remote communication device connected to the second internal controller;

responsive to one or more of the first and second communication request requesting communication between the local communication device and the remote communication device, establishing a third communication connection between the first and second external communication controllers; and

transmitting communication data between the first and second communication communities through the third communication connection.

15. The method of

claim 14

further comprising:

verifying at said first external controller said first communication request prior to said establishing said first communication connection;

verifying at said second external controller said second communication request prior to said establishing said second communication connection.

16. The method of

claim 15

further comprising:

issuing a third communication request between said first and second external communication controllers; and

verifying said third communication request prior to said establishing said third communication connection.

17. The method of

claim 14

wherein said establishing a third communication request comprises:

issuing a third communication request to a central communication controller;

establishing a first central communication channel between said first external communication controller and said central communication controller;

issuing a fourth communication request from said central communication controller to said second external communication controller; and

establishing a second central communication channel between said central communication controller and said second external controller.

18. The method of

claim 17

further comprising:

verifying said third communication request at said central communication controller prior to said establishing said first central communication channel;

verifying said fourth communication request prior to said establishing said second central communication channel.

US11/403,548 2006-04-13 2006-04-13 System and method for a communication system Active 2033-02-01 US8560828B2 (en)

Priority Applications (2)

Application Number	Priority Date	Filing Date	Title
US11/403,548 US8560828B2 (en)	2006-04-13	2006-04-13	System and method for a communication system
PCT/US2007/066451 WO2007121255A2 (en)	2006-04-13	2007-04-11	System and method for a communication system

Applications Claiming Priority (1)

Application Number	Priority Date	Filing Date	Title
US11/403,548 US8560828B2 (en)	2006-04-13	2006-04-13	System and method for a communication system

Publications (2)

Publication Number	Publication Date
US20070245412A1 true US20070245412A1 (en)	2007-10-18
US8560828B2 US8560828B2 (en)	2013-10-15

Family

ID=38606406

Family Applications (1)

Application Number	Title	Priority Date	Filing Date
US11/403,548 Active 2033-02-01 US8560828B2 (en)	2006-04-13	2006-04-13	System and method for a communication system